Load balancing HTTP/HTTPS with Pound on Ubuntu 14.10 Server

The Pound program is a reverse proxy, load balancer and HTTPS front-end for Web server(s). Pound was developed to enable distributing the load among several Web-servers and to allow for a convenient SSL wrapper for those Web servers that do not offer it natively. Pound is distributed under the GPL -- no warranty, it's free to use, copy and give away.

WHAT POUND IS

a reverse-proxy: it passes requests from client browsers to one or more back-end servers.
a load balancer: it will distribute the requests from the client browsers among several back-end servers, while keeping session information.
an SSL wrapper: Pound will decrypt HTTPS requests from client browsers and pass them as plain HTTP to the back-end servers.
an HTTP/HTTPS sanitizer: Pound will verify requests for correctness and accept only well-formed ones.
a fail over-server: should a back-end server fail, Pound will take note of the fact and stop passing requests to it until it recovers.
a request redirector: requests may be distributed among servers according to the requested URL.
Pound is a very small program, easily audited for security problems. It can run as setuid/setgid and/or in a chroot jail. Pound does not access the hard-disk at all (except for reading the certificate file on start, if required) and should thus pose no security threat to any machine.

WHAT POUND IS NOT

Pound is not a Web server: by itself, Pound serves no content -- it contacts the back-end server(s) for that purpose.
Pound is not a Web accelerator: no caching is done -- every request is passed "as is" to a back-end server.

Install Pound on Ubuntu 14.10

Open the terminal and run the following command:

sudo apt-get install pound

Pound Configuration

The Pound configuration file is located at /etc/pound/pound.cfg, so this is the file you need to edit to make changes.

Edit the Pound configuration file using the following command:

sudo vi /etc/pound/pound.cfg

Configuring HTTP Load balancing

We'll need to delete all the content within the ListenHTTP block. Once done, it should look like this:

ListenHTTP
End

Now we add an address and port to listen on, and finally a line to remove an HTTP header:

ListenHTTP
Address 0.0.0.0 # all interfaces
Port 80
HeadRemove "X-Forwarded-For"
End

This is a basic configuration. For each backend we want to load balance, we'll need to add a service within that listener.

You'll notice we're removing incoming headers called X-Forwarded-For. This makes sure a client can't craft them into a request and abuse them.

ListenHTTP
Address 0.0.0.0 # all interfaces
Port 80
HeadRemove "X-Forwarded-For"

Service
BackEnd
Address 192.168.0.1
Port 80
Priority 1
End
BackEnd
Address 192.168.0.2
Port 80
Priority 1
End
End
End

Here we have added 2 BackEnds that connect to port 80. It's all pretty simple, and you can add as many as you want.

Pound will pass correct HTTP headers through to the backends so you configure those just like you normally would.

Configuring HTTPS Load balancing

This should only be done on a private network, because Pound passes the decrypted requests to the backends as plain HTTP.

So, we'll create an HTTPS listener like the one above but with extra options.

ListenHTTPS
Address 0.0.0.0 # all interfaces
Port 443
AddHeader "X-Forwarded-Proto: https"
HeadRemove "X-Forwarded-Proto"
HeadRemove "X-Forwarded-For"
Cert "/path/to/certificate.pem"

Service
BackEnd
Address 192.168.0.1
Port 80
Priority 1
End
BackEnd
Address 192.168.0.2
Port 80
Priority 1
End
End
End

You'll notice a few changes here. First, we tell the HTTPS listener to listen on port 443, the SSL port.

We add a header called X-Forwarded-Proto to pass to our backend servers, so that the backend can inspect this header and use it, if required, to know the client connection is secure.

We also remove incoming headers called X-Forwarded-Proto and X-Forwarded-For. This makes sure a client can't craft them into a request and abuse them.

Finally, there is the certificate, which needs to be a PEM file with all certificates and keys within it and without passphrases.
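The header stripping described above is easy to lose when a listener is copied or edited, so this added example (not part of the original article or of Pound itself) checks that every ListenHTTP block removes X-Forwarded-For and that every ListenHTTPS block also removes X-Forwarded-Proto. The function name audit_pound_cfg is made up for this example, and it assumes the HeadRemove patterns are written literally as they are on this page.

```shell
#!/bin/sh
# Added example: audit a Pound config for the HeadRemove lines used on this page.
# audit_pound_cfg is a hypothetical helper name, not a Pound tool.
# Usage: sh audit_pound.sh /etc/pound/pound.cfg   (exit status 1 = finding)
audit_pound_cfg() {
    awk '
    function report(   miss) {
        miss = ""
        if (!xff) miss = miss " X-Forwarded-For"
        if (kind == "listenhttps" && !xfp) miss = miss " X-Forwarded-Proto"
        if (miss != "") {
            printf "line %d: %s does not HeadRemove%s\n", start, kind, miss
            bad = 1
        }
    }
    {
        sub(/#.*/, "")            # drop trailing comments (simplification)
        key = tolower($1)
        if (key == "listenhttp" || key == "listenhttps") {
            # a listener opens at top level: remember it and reset the flags
            if (depth == 0) { kind = key; start = NR; xff = 0; xfp = 0; inl = 1 }
            depth++
        } else if (key == "service" || key == "backend" ||
                   key == "emergency" || key == "session") {
            depth++               # nested blocks, each closed by its own End
        } else if (key == "end") {
            depth--
            if (depth == 0 && inl) { report(); inl = 0 }
        } else if (key == "headremove" && inl && depth == 1) {
            # assumption: the pattern is the literal header name, as on this page
            pat = tolower($0)
            if (pat ~ /"x-forwarded-for"/) xff = 1
            if (pat ~ /"x-forwarded-proto"/) xfp = 1
        }
    }
    END { exit bad + 0 }
    ' "$1"
}

# Run against the file given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_pound_cfg "$1"; fi
```

HeadRemove takes a pattern, so a listener that strips these headers with a broader regular expression would be reported by this literal check and needs a manual look.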

Enabling Pound to start

Open the pound file

sudo vi /etc/default/pound

Change it from startup=0 to startup=1. Until this is changed, Pound will refuse to start.

startup=0

to

startup=1

Starting Pound as Daemon Service

sudo /etc/init.d/pound start

Pound log file

By default, Pound logs its messages through syslog. On Ubuntu these messages are written to /var/log/syslog:

# tail -f /var/log/syslog
# grep pound /var/log/syslog
